McAfee: Hacking Team Babuk Has Flaws in Its Business Model
Until recently, ransomware groups have focused almost entirely on Microsoft Windows. McAfee had seen dedicated Linux and Unix ransomware in its research, but not genuinely cross-platform ransomware. Attackers keep moving, though: McAfee's experts report that over the past few months several groups have been experimenting with writing their binaries in Go (Golang), a language that compiles easily for multiple platforms. The concern was confirmed when Babuk announced on an underground forum that it was building cross-platform ransomware aimed at VMware ESXi and Linux/Unix systems.
Many of the core backend systems in organisations run on *nix operating systems, and on the virtualisation side an ESXi host commonly carries a virtual desktop environment or a whole set of servers. McAfee had earlier published a short blog covering the many coding mistakes the Babuk team made while building its tooling. McAfee reports: “Initially, in our research the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind Babuk remained unclear. However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as with other Ransomware-as-a-Service families.”
Despite being new to the scene, the group has kept hitting high-profile targets, even though bugs in its binary can leave files unrecoverable even after a ransom has been paid. In the end, the problems the Babuk developers ran into while creating the ESXi ransomware may have driven a change of business model, from encryption-based extortion to data theft and extortion. To summarise: the decryption software is poorly written, which means that if an organisation does pay a ransom, decryption of its files can be slow and there is no guarantee that the encrypted files will be fully recovered.
“In its recruitment posting Babuk specifically asks for individuals with pentest skills, so defenders should be on the lookout for traces and behaviors that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant. Also be on the lookout for abnormal behavior of non-malicious tools that have a dual use, such as those that can be used for things like enumeration and execution (e.g., ADfind, PSExec, PowerShell, etc.). We advise everyone to read our blogs on evidence indicators for a targeted ransomware attack,” said McAfee in its blog.
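The two-tier hunt McAfee describes above, as an added example that is not McAfee's code or part of the original article: outright offensive tooling is flagged on sight, while dual-use tools (AdFind, PsExec, PowerShell) are only flagged when their arguments or parent process look abnormal. The process-creation records are constructed Sysmon-style events, and the indicator patterns and parent-process list are this example's own assumptions drawn from the quoted tool names, not a vetted detection ruleset.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed Sysmon Event ID 1 style records (image, command line, parent).
# Made up for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\jdoe\Downloads\winPEASx64.exe",
     "cmdline": "winPEASx64.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Temp\SharpHound.exe",
     "cmdline": "SharpHound.exe -c All --zipfilename out.zip",
     "parent": "cmd.exe"},
    {"image": r"C:\Tools\AdFind.exe",
     "cmdline": "AdFind.exe -f objectcategory=computer -csv",
     "parent": "cmd.exe"},
    {"image": r"C:\Tools\PsExec.exe",
     "cmdline": "PsExec.exe \\\\srv01 -s -d cmd /c whoami",
     "parent": "cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "parent": r"C:\Windows\System32\winword.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

# Tier 1: tooling from the quoted list that has no business on a production
# host. Matching on image name or command line is enough to alert.
OFFENSIVE_TOOLS = {
    "winpeas": re.compile(r"winpeas", re.I),
    "sharphound": re.compile(r"sharphound", re.I),
    "bloodhound": re.compile(r"bloodhound", re.I),
    "cobaltstrike": re.compile(r"cobaltstrike|beacon\.(exe|dll)", re.I),
    "metasploit": re.compile(r"metasploit|meterpreter|msfvenom", re.I),
    "empire": re.compile(r"\bempire\b", re.I),
    "covenant": re.compile(r"covenant|grunt\.(exe|dll)", re.I),
}

# Tier 2: dual-use tools. Each entry is (name, image pattern, suspicious
# argument pattern, unexpected parent pattern or None). The argument and
# parent patterns are assumptions chosen for this example.
DUAL_USE = [
    ("adfind", re.compile(r"adfind", re.I),
     re.compile(r"objectcategory=|-f\s|trustdmp|-sc\s", re.I), None),
    ("psexec", re.compile(r"psexec", re.I),
     re.compile(r"\s-s\b|\s-d\b|\\\\", re.I), None),
    ("powershell", re.compile(r"powershell", re.I),
     re.compile(r"-e(nc(odedcommand)?)?\s|-nop\b|-w\s+hidden|downloadstring|\biex\b", re.I),
     re.compile(r"winword|excel|outlook|wscript|mshta", re.I)),
]


@dataclass
class Finding:
    severity: str
    tool: str
    reasons: List[str]
    cmdline: str


def _name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: dict) -> Optional[Finding]:
    image, cmd, parent = ev["image"], ev["cmdline"], ev["parent"]
    haystack = f"{_name(image)} {cmd}"
    for tool, pat in OFFENSIVE_TOOLS.items():
        if pat.search(haystack):
            return Finding("high", tool, ["offensive tooling present"], cmd)
    for tool, name_pat, arg_pat, parent_pat in DUAL_USE:
        if not name_pat.search(_name(image)):
            continue
        reasons = []
        if arg_pat.search(cmd):
            reasons.append("suspicious arguments")
        if parent_pat and parent_pat.search(_name(parent)):
            reasons.append(f"unexpected parent {_name(parent)}")
        if reasons:  # a dual-use tool with a normal invocation stays silent
            return Finding("medium", tool, reasons, cmd)
    return None


def triage(events) -> List[Finding]:
    return [f for f in (triage_event(e) for e in events) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.tool}: {', '.join(f.reasons)} :: {f.cmdline}")
```

Run as-is, the benign svchost event and the PowerShell backup script launched from svchost produce nothing, while winPEAS and SharpHound are high-severity on sight and AdFind, PsExec and the encoded PowerShell from Word are flagged as medium with the reason recorded. In practice the dual-use tier is where tuning happens: an admin team that really does run PsExec with -s from a jump host should be excluded by parent or user rather than by dropping the rule.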